A good friend once said that friends don’t let friends reuse passwords. This sage advice is as true now as it was then. Perhaps even more so.

This week we were once again reminded why reusing passwords is a very bad idea. Yahoo! just announced that its entire database of users was breached way back in 2014, resulting in over 500 million logins being sold on the black market.

These login details contain enough information for an attacker to discover your Yahoo! password, and if you’re using this same password on other web sites, they will be able to log in as you on those sites as well.

Depending on how many Yahoo! services you depend on (such as Flickr), you may or may not be alarmed, but if you reused your password on other websites, you really should be.

Password reuse is scary

I’ve had a Yahoo! account for longer than I care to admit. I believe I created mine in 1999. Times were simpler back then and I didn’t have anything that needed to be protected – or so I thought.

I didn’t take my security that seriously at the time so I did what I always did for all my accounts and signed up using the one single password that I used everywhere: 909at89.

After a while, I stopped using Yahoo but I continued reusing my password wherever I went. Years later my Yahoo! account was broken into and I got lucky – the thief only cared about sending spam and never bothered to change my password to lock me out. 1Password was a daily part of my life by that time so I updated my Yahoo! password to NigEAKnb6cfaEpqKxWDGJPVi7Ld and moved on.

My Yahoo! account was now safe, but my silly old password still survived on many other websites. I even used my ridiculously weak password for the company web server that was set up before 1Password even existed.

Even though I had already changed my Yahoo! password, the thief could have easily taken over my other accounts. If I were “famous”, things could have turned out much differently.

Protecting Yourself

If you have a Yahoo! account it’s time to fire up the Strong Password Generator and change your password to one that’s unique to Yahoo! and Yahoo! alone.

This is a good first step, but it’s only the beginning. The next step is to find all the other sites where that password was used and update them as well. You can use 1Password to search for your original password and update every site that matches.

You can also use Security Audit to find other reused passwords. And while you’re there you might as well check the Weak Passwords section to see which sites have lame passwords. You might be surprised at what you find.

Protecting Your Team and Business

The scariest part of password reuse is that it becomes second nature, and before long reused passwords start appearing in unexpected places. The website you thought was protected ends up being an open door.

This is exactly what happened to me before 1Password existed, and I shudder at what could have happened if I hadn’t changed my ways. I would feel terrible if anything ever happened to my colleagues as the result of me reusing passwords. Part of my responsibility as a member of any team is using strong passwords like these:

As a 1Password user, you already know that having unique passwords like this for every site is super simple – it’s literally easier to be secure with 1Password than to be insecure without it.

When you’re on a team it’s not enough just for you to follow safe password practices. Your teammates might be reusing passwords because they believe it’s easier, putting the entire team in danger.

If your team is reusing passwords, emailing them to each other, or collecting them in an Excel spreadsheet, you’re likely to be in the news in the future – and not for the right reasons!

This is why we created 1Password Teams – to help you and your entire team make doing the right thing the easy thing. With 1Password Teams, everyone in your team can be the strongest link.

As luck would have it, our Teams launch special is still available: until October 15th you and your entire team will get all the features of our Pro plan for the very low price of the Standard plan. If your team isn’t using 1Password already, be a hero and sign your team up.

The internet has come a long way in the last 20 years and we all need to evolve our security practices to stay safe, both in our personal and professional lives. Bad habits that we learned years ago simply have no place today.

All this talk of password reuse and reminiscing has me feeling nostalgic. It’s time I reach out to my dear old friend and thank him for inspiring today’s post. ❤️

Good post, made me make some changes. But neither your weak nor duplicated passwords tools spotted passwords that are similar (eg a root of some kind plus site-specific differences). My guess is these are problematic and likely easy for hackers to have a reasonable chance of cracking… I have to go through one by one and do a “reveal”, then change if appropriate. Any chance of checking some of these common patterns?

Good morning, Chris. Thanks for giving me the opportunity to answer such a great question.

You’re right, neither of our current tools will detect your scheme, so your passwords will not be highlighted as being weak. Our duplicate password tool is very selective in what it will show – only items with identical passwords will be included. And the weak password detector determines strength by looking at each password individually, so it won’t detect your pattern.

Your idea of detecting root password prefixes is a neat one. We could look at all your items as a whole and assign a penalty when a pattern is detected. That would be a fun project someday, so we very well might enhance the weak password algorithm in the future to do this.

What you can do in the interim is search all of 1Password for your common “root” password prefixes. That would save you from inspecting every single item individually.
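The three checks discussed above (the exact-duplicate search recommended in the post, the per-password weak-password check, and the "look at all items as a whole and assign a penalty" idea from the reply) can be demonstrated on a small vault export. The script below is an added example and is not 1Password's code or algorithm; the vault contents are constructed for illustration, the entropy estimate is a deliberately crude length-times-pool-size figure, and the 40-bit weak threshold and 6-character minimum root length are arbitrary assumptions chosen for the demo.

```python
"""Audit a list of (site, password) items for exact reuse, per-item
weakness, and shared "root" prefixes that the exact-match check misses.
Added example; not 1Password's code. Thresholds are assumptions."""
import math
from collections import defaultdict
from itertools import combinations

# Constructed sample vault for demonstration only; these are not real
# credentials. "909at89" plays the role of the weak root from the post.
SAMPLE_VAULT = [
    ("yahoo.com", "909at89"),
    ("flickr.com", "909at89"),
    ("shop.example", "909at89-shop"),
    ("bank.example", "909at89bank1"),
    ("mail.example", "NigEAKnb6cfaEpqKxWDGJPVi7Ld"),
    ("forum.example", "correct horse battery staple"),
]


def find_duplicates(vault):
    """Exact-match reuse: password -> sites, only where 2+ sites share it."""
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def estimate_entropy_bits(password):
    """Crude per-password strength: length * log2(character pool size)."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool)


def common_prefix(a, b):
    """Longest common prefix of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def find_shared_roots(vault, min_root=6):
    """Near-match reuse: group sites whose passwords share a prefix of at
    least min_root characters. Identical pairs are skipped because
    find_duplicates already reports them; groups are keyed by the
    pairwise common prefix, so a longer sub-root can form its own group."""
    roots = defaultdict(set)
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault, 2):
        if pw_a == pw_b:
            continue
        root = common_prefix(pw_a, pw_b)
        if len(root) >= min_root:
            roots[root].update((site_a, site_b))
    return dict(roots)


def audit(vault, min_root=6, weak_bits=40):
    """Run all checks and apply the penalty: for an item in a shared-root
    group, only the characters after the root count toward its strength."""
    roots = find_shared_roots(vault, min_root)
    site_root = {}
    for root, sites in roots.items():
        for site in sites:
            if len(root) > len(site_root.get(site, "")):
                site_root[site] = root  # keep the longest root per site
    weak_individually, weak_after_penalty = [], []
    for site, password in vault:
        raw = estimate_entropy_bits(password)
        root = site_root.get(site, "")
        effective = estimate_entropy_bits(password[len(root):]) if root else raw
        if raw < weak_bits:
            weak_individually.append(site)
        if effective < weak_bits:
            weak_after_penalty.append(site)
    return {
        "duplicates": find_duplicates(vault),
        "shared_roots": roots,
        "weak_individually": weak_individually,
        "weak_after_penalty": weak_after_penalty,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_VAULT).items():
        print(f"{key}: {value}")
```

On the sample vault the exact-duplicate check reports only the two identical "909at89" entries, and the per-item check flags the same two as weak; "909at89-shop" and "909at89bank1" look acceptable on their own. The shared-root pass groups all four under the root "909at89", and once the root is discounted the two variants drop below the threshold as well, which is the gap the reply describes.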

I’ve been using unique passwords for every site ever since I started using the Internet, and have used many different systems for remembering those passwords, but they were all still pretty weak. Writing them down has obvious downsides; using a “formula” seemed like a good idea, but these days a formula can easily be figured out by a dedicated hacker; I then settled on a hybrid of the two systems using a PasswordCard plus a mental formula, but that proved to be annoying and unwieldy, especially when it came time to change passwords due to breaches.

Ultimately, I’m happy with 1Password, because it makes things easy. I only have to remember one very strong password, and can quickly change passwords when necessary. In this Yahoo breach, for example, I changed my password even though I wasn’t affected, and it took me seconds to generate and save a new one. Much faster and more secure.

Thank you for sharing your story with us. I’m really happy to hear you’re enjoying 1Password!

I also experimented with the formula approach years ago before 1Password and I found exactly the same problem: whenever I needed to change a password I was forced to adapt my algorithm. Plus it got annoying needing to think every time I wanted to log in to a website. And at the end of the day, typing passwords is not that much fun, so I prefer to let 1Password do it for me.